jwtauth.New to accept jwt.ValidateOptions

2025-12-11 13:47:41 -05:00 · 2023-11-21 15:57:10 -05:00 · 2023-11-21 15:57:10 -05:00 · fc3832839d
commit fc3832839d
parent 19f55ff778
6 changed files with 69 additions and 40 deletions
--- a/jwtauth.go
+++ b/jwtauth.go
@ -12,10 +12,11 @@ import (
 )

 type JWTAuth struct {
-	alg       jwa.SignatureAlgorithm
-	signKey   interface{} // private-key
-	verifyKey interface{} // public-key, only used by RSA and ECDSA algorithms
-	verifier  jwt.ParseOption
+	alg             jwa.SignatureAlgorithm
+	signKey         interface{} // private-key
+	verifyKey       interface{} // public-key, only used by RSA and ECDSA algorithms
+	verifier        jwt.ParseOption
+	validateOptions []jwt.ValidateOption
 }

 var (
@ -32,8 +33,13 @@ var (
 	ErrAlgoInvalid  = errors.New("algorithm mismatch")
 )

-func New(alg string, signKey interface{}, verifyKey interface{}) *JWTAuth {
-	ja := &JWTAuth{alg: jwa.SignatureAlgorithm(alg), signKey: signKey, verifyKey: verifyKey}
+func New(alg string, signKey interface{}, verifyKey interface{}, validateOptions ...jwt.ValidateOption) *JWTAuth {
+	ja := &JWTAuth{
+		alg:             jwa.SignatureAlgorithm(alg),
+		signKey:         signKey,
+		verifyKey:       verifyKey,
+		validateOptions: validateOptions,
+	}

 	if ja.verifyKey != nil {
 		ja.verifier = jwt.WithKey(ja.alg, ja.verifyKey)
@ -105,7 +111,7 @@ func VerifyToken(ja *JWTAuth, tokenString string) (jwt.Token, error) {
 		return nil, ErrUnauthorized
 	}

-	if err := jwt.Validate(token); err != nil {
+	if err := jwt.Validate(token, ja.validateOptions...); err != nil {
 		return token, ErrorReason(err)
 	}

@ -158,23 +164,26 @@ func ErrorReason(err error) error {
 // Verifier middleware request context values. The Authenticator sends a 401 Unauthorized
 // response for any unverified tokens and passes the good ones through. It's just fine
 // until you decide to write something similar and customize your client response.
-func Authenticator(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		token, _, err := FromContext(r.Context())
+func Authenticator(ja *JWTAuth) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		hfn := func(w http.ResponseWriter, r *http.Request) {
+			token, _, err := FromContext(r.Context())

-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusUnauthorized)
+				return
+			}
+
+			if token == nil || jwt.Validate(token, ja.validateOptions...) != nil {
+				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+				return
+			}
+
+			// Token is authenticated, pass it through
+			next.ServeHTTP(w, r)
 		}
-
-		if token == nil || jwt.Validate(token) != nil {
-			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-			return
-		}
-
-		// Token is authenticated, pass it through
-		next.ServeHTTP(w, r)
-	})
+		return http.HandlerFunc(hfn)
+	}
 }

 func NewContext(ctx context.Context, t jwt.Token, err error) context.Context {